Re: Wireshark-users Digest, Vol 58, Issue 9

[Paula Dufour <psdufour () gmail com>]

Hi,

The localhost address is used by the operating system as a way to pass
information through different processes of an application.  Netbackup is one
example.



Paula



On Thu, Mar 10, 2011 at 3:00 PM, <wireshark-users-request () wireshark org>wrote:

> Send Wireshark-users mailing list submissions to
>        wireshark-users () wireshark org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
>        wireshark-users-request () wireshark org
>
> You can reach the person managing the list at
>        wireshark-users-owner () wireshark org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>   1. localhost versus url (Tony Anecito)
>   2. Re: localhost versus url (David Alanis)
>   3. Re: Help with Zigbee decryption (Joe Desbonnet)
>   4. Re: localhost versus url (Jaap Keuter)
>   5. Re: localhost versus url (Guy Harris)
>   6. Re: Help with Zigbee decryption (Maynard, Chris)
>   7. question about SCTP multi-homing (WangWeiguo)
>   8. Re: localhost versus url (Tony Anecito)
>   9. Re: localhost versus url (Tony Anecito)
>  10. Re: localhost versus url (Jaap Keuter)
>  11. Re: localhost versus url (Tony Anecito)
>  12. Re: question about SCTP multi-homing (Michael T?xen)
>  13. Re: question about SCTP multi-homing (Jeff Morriss)
>  14. Re: Help with Zigbee decryption (Guy Harris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 9 Mar 2011 14:11:33 -0800 (PST)
> From: Tony Anecito <adanecito () yahoo com>
> To: Wireshark Users <wireshark-users () wireshark org>
> Subject: [Wireshark-users] localhost versus url
> Message-ID: <957435.27881.qm () web113614 mail gq1 yahoo com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi All,
>
> I was running some performance tests last week and noticed with the client
> app
> running on the same server or apache web server machine the response time
> was
> much better when using localhost in the url versus my domain name.?I
> assumed
> somehow the connection is bypassing my router and connecting to the apache
> process directly. Is that so and if not what should I see on Wireshark if
> anything? Or is even the tcp/ip stack short circuited?
>
> Thanks,
> -Tony
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 09 Mar 2011 17:28:26 -0600
> From: David Alanis <canito () dalan us>
> To: wireshark-users () wireshark org
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <20110309172826.mdv02xxdisw88ws4 () mail dalan us>
> Content-Type: text/plain;       charset=ISO-8859-1;     DelSp="Yes";
>        format="flowed"
>
> Quoting Tony Anecito <adanecito () yahoo com>:
>
> > Hi All,
> >
> > I was running some performance tests last week and noticed with the
> > client app
> > running on the same server or apache web server machine the response time
> was
> > much better when using localhost in the url versus my domain name.
>
> Do you have the domain entered correctly in your /etc/hosts file?
>
> During your performance tests whilst using the FQDN did you notice any
> weird DNS/Reverse lookups for your domain name?
>
> That definately sounds fishy, but not improbable.
>
> > ?I assumed
> > somehow the connection is bypassing my router and connecting to the
> apache
> > process directly. Is that so and if not what should I see on Wireshark if
> > anything? Or is even the tcp/ip stack short circuited?
>
> Let me make sure I understand, if you configure Apache (e.g.) with the
> domain name it is much slower than configuring Apache with the
> localhost name?
>
> > Thanks,
> > -Tony
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> >
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 9 Mar 2011 23:38:51 +0000
> From: Joe Desbonnet <joe () galway net>
> To: wireshark-users () wireshark org
> Subject: Re: [Wireshark-users] Help with Zigbee decryption
> Message-ID:
>        <AANLkTincGhAxvwcXJBTAQjYNUHUD0V9_AcyYLzAA3no=@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> To answer my own question. I succeeded in decrypting ZigBee HA (Home
> Automation) profile packets a while back, but thought it worth
> mentioning here in case anyone else has the same problem.
>
> I upgraded to version 1.4.3 of Wireshark. Then set the following:
> Edit -> Preferences... -> Protocols -> ZigBee NWK
>
> Security Level: AES-128 Encryption, 32-bit Integrity Protection
> Network Key: 39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A
> (that's the ASCII values of ZigBeeAlliance09 *in reverse*)
>
> BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from
> Microchip Technologies, I've written a short Linux C utility that
> streams the packets from the device in PCAP format and can be piped
> into Wireshark. Details here: http://code.google.com/p/microchip-zena/
>
> Joe.
>
>
> On Fri, Jan 14, 2011 at 12:38 AM, Joe Desbonnet <joe () galway net> wrote:
> > I'm attempting to sniff and decrypt packets in home automation
> > equipment which is supposed to be setup with encryption key
> > "ZigBeeAlliance09".
> >
> > I've entered ZigBeeAlliance09 as a string in the "Network Key" field
> > in Edit -> Preferences -> Protocols -> Zigbee NWK
> > however the UI does not seem to be acting on it.
> >
> > In the packet view under Zigbee Security Header I have a collapsible
> node:
> > ?[Expert Info (Warn/Undecoded): Encrypted Payload]
> > ?[Message: Encrypted Payload]
> > ?[Severity level: warn]
> > ?[Group: Undecoded]
> >
> > Then the Data node just lists the data from the packet verbatim (no
> decryption).
> > What must I do to decrypt this payload? I've tried other random
> > strings for the key and it makes no difference. It doesn't seem to be
> > trying to decrypt.
> >
> > To reproduce my problem see the pcap capture file here:
> > http://www.mail-archive.com/wireshark-bugs () wireshark org/msg24773.html
> > (file bug5331_test.pcap). The text of the bug implies it uses the same
> > key (ZigBeeAlliance09). Look at the first packet. The payload is two
> > bytes 0xb9 0x06 (encrypted). I cannot find any way view the decrypted
> > packet.
> >
> > I'm using the standard Ubuntu package (version 1.2.7) and I also tried
> > the latest version 1.4.3.
> >
> > Any pointers or suggestions would be greatly appreciated.
> >
> > Thanks in advance,
> >
> > Joe.
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 10 Mar 2011 08:19:12 +0100
> From: Jaap Keuter <jaap.keuter () xs4all nl>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <4D787B70.3090006 () xs4all nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello Tony,
>
> Assuming your domain name is resolved to your public IP address on the
> outside
> of the firewall/NAT, your assumption is right.
>
> When entering localhost in the URL, that's resolved to 127.0.0.1, your
> local
> machines loopback interface. No Ethernet networking involved, so watching
> with
> Wireshark won't show this traffic at all (unless capturing the on the
> loopback
> interface on a !Windows machine).
>
> When entering the FQDN in the URL, that's resolved to your outside address.
> Browser traffic flows to that address first, then comes back to access the
> Apache server. Now you'll see the traffic when you capture on the network
> interface, once going out and once coming in.
>
> In the circumstance that there's no NAT involved (so your outside address
> is
> your interface address) you still end up with more delay that going through
> the
> loopback interface. The extra DNS interactions, and probably additional
> safety
> measures of your platform, take away a little time for every object
> retrieved.
>
> Thanks,
> Jaap
>
> On 03/09/2011 11:11 PM, Tony Anecito wrote:
> > Hi All,
> >
> > I was running some performance tests last week and noticed with the
> client app
> > running on the same server or apache web server machine the response time
> was
> > much better when using localhost in the url versus my domain name. I
> assumed
> > somehow the connection is bypassing my router and connecting to the
> apache
> > process directly. Is that so and if not what should I see on Wireshark if
> > anything? Or is even the tcp/ip stack short circuited?
> >
> > Thanks,
> > -Tony
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 9 Mar 2011 23:39:09 -0800
> From: Guy Harris <guy () alum mit edu>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <4D2C809E-01C4-417C-ACF9-C1E92F922075 () alum mit edu>
> Content-Type: text/plain; charset=us-ascii
>
>
> On Mar 9, 2011, at 11:19 PM, Jaap Keuter wrote:
>
> > Assuming your domain name is resolved to your public IP address on the
> outside of the firewall/NAT, your assumption is right.
> > When entering localhost in the URL, that's resolved to 127.0.0.1, your
> local machines loopback interface. No Ethernet networking involved, so
> watching with Wireshark won't show this traffic at all (unless capturing the
> on the loopback interface on a !Windows machine).
>
> !Windows && !Solaris - Solaris (except perhaps in OpenSolaris 11) doesn't
> support a capture mechanism that can listen to loopback traffic.
>
> On the other hand:
>
> > When entering the FQDN in the URL, that's resolved to your outside
> address. Browser traffic flows to that address first, then comes back to
> access the Apache server. Now you'll see the traffic when you capture on the
> network interface, once going out and once coming in.
>
> ...in at least some operating systems, even attempts to send packets to one
> of your own network addresses will go through the same path as attempts to
> send packets to 127.0.0.1, so either you won't be able to capture them at
> all, on Windows (where there is no equivalent to UN*X loopback interfaces;
> the Windows "loopback interface" is different) or on UN*Xes where you can't
> capture in the loopback interface, or you'll have to capture them on the
> loopback interface, just as you capture traffic to 127.0.0.1.
>
> > In the circumstance that there's no NAT involved (so your outside address
> is your interface address) you still end up with more delay that going
> through the loopback interface. The extra DNS interactions, and probably
> additional safety measures of your platform, take away a little time for
> every object retrieved.
>
> My guess is that's the performance issue; traffic from your machine to one
> of its non-loopback IP addresses, or to its loopback address, largely go
> through the same code path, so it's probably that looking up the host name
> via DNS is slower than looking up "loopback" or that something else is
> triggered by traffic to a local address that's not triggered by traffic to
> 127.0.0.1.
>
> ------------------------------
>
> Message: 6
> Date: Thu, 10 Mar 2011 09:48:27 -0500
> From: "Maynard, Chris" <Christopher.Maynard () GTECH COM>
> To: 'Community support list for Wireshark'
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] Help with Zigbee decryption
> Message-ID:
>        <
> FEA7253CE01175418CE6A9BE162A91552A066A345B () RIMAILMBX2 gtk gtech com>
> Content-Type: text/plain; charset="us-ascii"
>
> Thanks for the information Joe.  I posted a link to your tool on the
> Wireshark wiki: http://wiki.wireshark.org/WPANFamily
> - Chris
>
> -----Original Message-----
> From: wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] On Behalf Of Joe Desbonnet
> Sent: Wednesday, March 09, 2011 6:39 PM
> To: wireshark-users () wireshark org
> Subject: Re: [Wireshark-users] Help with Zigbee decryption
>
> BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from
> Microchip Technologies, I've written a short Linux C utility that
> streams the packets from the device in PCAP format and can be piped
> into Wireshark. Details here: http://code.google.com/p/microchip-zena/
>
>
> - end -
>
> CONFIDENTIALITY NOTICE: The contents of this email are confidential
> and for the exclusive use of the intended recipient. If you receive this
> email in error, please delete it from your system immediately and
> notify us either by email, telephone or fax. You should not copy,
> forward, or otherwise disclose the content of the email.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 11 Mar 2011 02:03:08 +0800
> From: WangWeiguo <encwgwg () hotmail com>
> To: <wireshark-users () wireshark org>
> Subject: [Wireshark-users] question about SCTP multi-homing
> Message-ID: <SNT114-W863E5652A933AFEA48DFBA7C80 () phx gbl>
> Content-Type: text/plain; charset="gb2312"
>
>
> Hi all,
> Anyone can help with this SCTP multi-homing question?  I've read the spec.
> (RFC 4960) and googled, but still it's quite hard to really understand the
> essentials of the multi-homing.
>
> The question is based on the diagram as following, which is a SCTP
> association beteen End Point A and B, on each End Point has two IP addresses
> serving this SCTP association:
>
> Node A          Node B
> IP A1   ------- IP B1
>            \     /
>              \ /
>              /\
>            /    \
> IP A2   ------ IP B2
>
> In this way, there are actually 4 physical links in this single
> association: A1 -> B1,  A2 -> B2, A1 -> B2, and A2 -> B1.
>
> The question is: among these 4 links, how many can be defined as Prime?
> > From the spec., it looks like only one pair of IP addresses (ig. A1->B1)
> can be defined as prime so all traffic actually just goes on this link only,
> however in this way it means that among the 4 available links, only one is
> bearing traffic in normal cases and all other 3 are standby in case of prime
> failure, it doesn't look like make sense if compare to the possibility of
> having 2 out of 4 as prime and other 2 as standby. Furthermore, in case of
> prime (say A1-> B1) failure, which of the other three will take over and how
> are they prioritized?
>
> Thanks.
>
> Kevin. Wong.
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.wireshark.org/lists/wireshark-users/attachments/20110311/24ffbd53/attachment.html
> >
>
> ------------------------------
>
> Message: 8
> Date: Thu, 10 Mar 2011 10:04:56 -0800 (PST)
> From: Tony Anecito <adanecito () yahoo com>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <543194.98893.qm () web113620 mail gq1 yahoo com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi David,
>
> My Domain name is registered with godaddy.
>
> I have not tried Wireshark yet I was hoping this is commonly known why the
> network would do this magic.
>
> I will look at the other responses.
>
> Many thanks for the quick feedback!
>
> -Tony
>
>
>
> ----- Original Message ----
> From: David Alanis <canito () dalan us>
> To: wireshark-users () wireshark org
> Sent: Wed, March 9, 2011 4:28:26 PM
> Subject: Re: [Wireshark-users] localhost versus url
>
> Quoting Tony Anecito <adanecito () yahoo com>:
>
> > Hi All,
> >
> > I was running some performance tests last week and noticed with the?
> client
> app
> > running on the same server or apache web server machine the response time
> was
> > much better when using localhost in the url versus my domain name.
>
> Do you have the domain entered correctly in your /etc/hosts file?
>
> During your performance tests whilst using the FQDN did you notice any
> weird
> DNS/Reverse lookups for your domain name?
>
> That definately sounds fishy, but not improbable.
>
> > ?I assumed
> > somehow the connection is bypassing my router and connecting to the
> apache
> > process directly. Is that so and if not what should I see on Wireshark if
> > anything? Or is even the tcp/ip stack short circuited?
>
> Let me make sure I understand, if you configure Apache (e.g.) with the
> domain
> name it is much slower than configuring Apache with the localhost name?
>
> > Thanks,
> > -Tony
> ___________________________________________________________________________
> > Sent via:? ? Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:? ? http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > ? ? ? ? ? ? ? mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> >
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> ___________________________________________________________________________
> Sent via:? ? Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:? ? http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> ? ? ? ? ? ? mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 10 Mar 2011 10:12:31 -0800 (PST)
> From: Tony Anecito <adanecito () yahoo com>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <597719.68738.qm () web113601 mail gq1 yahoo com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Jaap,
>
> Many thanks that makes sense. I do have a router with a set of static ips
> provided by my isp and one of the ips is registered with godaddy and is
> tied to
> my own domain name and that was what I was using prior to using localhost.
> I did
> notice on wireshark when using my domain I would see what you described.
>
> I wonder what layers of the OSI 7 layer model is bypassed? I would think
> the
> first three (1-3) would be bypassed?
>
> Thanks,
> -Tony
>
>
>
> ----- Original Message ----
> From: Jaap Keuter <jaap.keuter () xs4all nl>
> To: Community support list for Wireshark <wireshark-users () wireshark org>
> Sent: Thu, March 10, 2011 12:19:12 AM
> Subject: Re: [Wireshark-users] localhost versus url
>
> Hello Tony,
>
> Assuming your domain name is resolved to your public IP address on the
> outside
> of the firewall/NAT, your assumption is right.
>
> When entering localhost in the URL, that's resolved to 127.0.0.1, your
> local
> machines loopback interface. No Ethernet networking involved, so watching
> with
> Wireshark won't show this traffic at all (unless capturing the on the
> loopback
> interface on a !Windows machine).
>
> When entering the FQDN in the URL, that's resolved to your outside address.
> Browser traffic flows to that address first, then comes back to access the
> Apache server. Now you'll see the traffic when you capture on the network
> interface, once going out and once coming in.
>
> In the circumstance that there's no NAT involved (so your outside address
> is
> your interface address) you still end up with more delay that going through
> the
> loopback interface. The extra DNS interactions, and probably additional
> safety
> measures of your platform, take away a little time for every object
> retrieved.
>
> Thanks,
> Jaap
>
> On 03/09/2011 11:11 PM, Tony Anecito wrote:
> > Hi All,
> >
> > I was running some performance tests last week and noticed with the
> client app
> > running on the same server or apache web server machine the response time
> was
> > much better when using localhost in the url versus my domain name. I
> assumed
> > somehow the connection is bypassing my router and connecting to the
> apache
> > process directly. Is that so and if not what should I see on Wireshark if
> > anything? Or is even the tcp/ip stack short circuited?
> >
> > Thanks,
> > -Tony
>
> ___________________________________________________________________________
> Sent via:? ? Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:? ? http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> ? ? ? ? ? ? mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 10 Mar 2011 19:36:29 +0100
> From: Jaap Keuter <jaap.keuter () xs4all nl>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <4D791A2D.4070205 () xs4all nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> Well, the relationship with OSI layers is a bit awkward, but if you want to
> talk
> layers, you end up circumventing the Datalink and Physical Layers when
> going
> through the loopback. The Network Layer determines that the packet doesn't
> need
> to go to a physical network interface, but rigtht back into the network
> stack.
>
> Thanks,
> Jaap
>
> On 03/10/2011 07:12 PM, Tony Anecito wrote:
> > Hi Jaap,
> >
> > Many thanks that makes sense. I do have a router with a set of static ips
> > provided by my isp and one of the ips is registered with godaddy and is
> tied to
> > my own domain name and that was what I was using prior to using
> localhost. I did
> > notice on wireshark when using my domain I would see what you described.
> >
> > I wonder what layers of the OSI 7 layer model is bypassed? I would think
> the
> > first three (1-3) would be bypassed?
> >
> > Thanks,
> > -Tony
> >
> >
> >
> > ----- Original Message ----
> > From: Jaap Keuter<jaap.keuter () xs4all nl>
> > To: Community support list for Wireshark<wireshark-users () wireshark org>
> > Sent: Thu, March 10, 2011 12:19:12 AM
> > Subject: Re: [Wireshark-users] localhost versus url
> >
> > Hello Tony,
> >
> > Assuming your domain name is resolved to your public IP address on the
> outside
> > of the firewall/NAT, your assumption is right.
> >
> > When entering localhost in the URL, that's resolved to 127.0.0.1, your
> local
> > machines loopback interface. No Ethernet networking involved, so watching
> with
> > Wireshark won't show this traffic at all (unless capturing the on the
> loopback
> > interface on a !Windows machine).
> >
> > When entering the FQDN in the URL, that's resolved to your outside
> address.
> > Browser traffic flows to that address first, then comes back to access
> the
> > Apache server. Now you'll see the traffic when you capture on the network
> > interface, once going out and once coming in.
> >
> > In the circumstance that there's no NAT involved (so your outside address
> is
> > your interface address) you still end up with more delay that going
> through the
> > loopback interface. The extra DNS interactions, and probably additional
> safety
> > measures of your platform, take away a little time for every object
> retrieved.
> > Thanks,
> > Jaap
> >
> > On 03/09/2011 11:11 PM, Tony Anecito wrote:
> > > Hi All,
> > >
> > > I was running some performance tests last week and noticed with the
> client app
> > > running on the same server or apache web server machine the response
> time was
> > > much better when using localhost in the url versus my domain name. I
> assumed
> > > somehow the connection is bypassing my router and connecting to the
> apache
> > > process directly. Is that so and if not what should I see on Wireshark
> if
> > > anything? Or is even the tcp/ip stack short circuited?
> > >
> > > Thanks,
> > > -Tony
>
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 10 Mar 2011 10:42:05 -0800 (PST)
> From: Tony Anecito <adanecito () yahoo com>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] localhost versus url
> Message-ID: <196569.32993.qm () web113605 mail gq1 yahoo com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Thanks Jaap I was looking into that and I believe you are right even about
> the
> relationship with OSI!
>
> Best Regards,
> -Tony
>
>
>
> ----- Original Message ----
> From: Jaap Keuter <jaap.keuter () xs4all nl>
> To: Community support list for Wireshark <wireshark-users () wireshark org>
> Sent: Thu, March 10, 2011 11:36:29 AM
> Subject: Re: [Wireshark-users] localhost versus url
>
> Hi,
>
> Well, the relationship with OSI layers is a bit awkward, but if you want to
> talk
>
> layers, you end up circumventing the Datalink and Physical Layers when
> going
> through the loopback. The Network Layer determines that the packet doesn't
> need
> to go to a physical network interface, but rigtht back into the network
> stack.
>
> Thanks,
> Jaap
>
> On 03/10/2011 07:12 PM, Tony Anecito wrote:
> > Hi Jaap,
> >
> > Many thanks that makes sense. I do have a router with a set of static ips
> > provided by my isp and one of the ips is registered with godaddy and is
> tied
> to
> > my own domain name and that was what I was using prior to using
> localhost. I
> > did
> > notice on wireshark when using my domain I would see what you described.
> >
> > I wonder what layers of the OSI 7 layer model is bypassed? I would think
> the
> > first three (1-3) would be bypassed?
> >
> > Thanks,
> > -Tony
> >
> >
> >
> > ----- Original Message ----
> > From: Jaap Keuter<jaap.keuter () xs4all nl>
> > To: Community support list for Wireshark<wireshark-users () wireshark org>
> > Sent: Thu, March 10, 2011 12:19:12 AM
> > Subject: Re: [Wireshark-users] localhost versus url
> >
> > Hello Tony,
> >
> > Assuming your domain name is resolved to your public IP address on the
> outside
> > of the firewall/NAT, your assumption is right.
> >
> > When entering localhost in the URL, that's resolved to 127.0.0.1, your
> local
> > machines loopback interface. No Ethernet networking involved, so watching
> with
> > Wireshark won't show this traffic at all (unless capturing the on the
> loopback
> > interface on a !Windows machine).
> >
> > When entering the FQDN in the URL, that's resolved to your outside
> address.
> > Browser traffic flows to that address first, then comes back to access
> the
> > Apache server. Now you'll see the traffic when you capture on the network
> > interface, once going out and once coming in.
> >
> > In the circumstance that there's no NAT involved (so your outside address
> is
> > your interface address) you still end up with more delay that going
> through
> the
> > loopback interface. The extra DNS interactions, and probably additional
> safety
> > measures of your platform, take away a little time for every object
> retrieved.
> > Thanks,
> > Jaap
> >
> > On 03/09/2011 11:11 PM, Tony Anecito wrote:
> > > Hi All,
> > >
> > > I was running some performance tests last week and noticed with the
> client
> app
> > > running on the same server or apache web server machine the response
> time was
> > > much better when using localhost in the url versus my domain name. I
> assumed
> > > somehow the connection is bypassing my router and connecting to the
> apache
> > > process directly. Is that so and if not what should I see on Wireshark
> if
> > > anything? Or is even the tcp/ip stack short circuited?
> > >
> > > Thanks,
> > > -Tony
>
> ___________________________________________________________________________
> Sent via:? ? Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:? ? http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> ? ? ? ? ? ? mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
>
>
>
> ------------------------------
>
> Message: 12
> Date: Thu, 10 Mar 2011 20:11:54 +0100
> From: Michael T?xen <Michael.Tuexen () lurchi franken de>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] question about SCTP multi-homing
> Message-ID: <9BD6F17D-38F7-47B8-8A15-BA89188F3182 () lurchi franken de>
> Content-Type: text/plain; charset=us-ascii
>
> On Mar 10, 2011, at 7:03 PM, WangWeiguo wrote:
>
> > Hi all,
> > Anyone can help with this SCTP multi-homing question?  I've read the
> spec. (RFC 4960) and googled, but still it's quite hard to really understand
> the essentials of the multi-homing.
> > The question is based on the diagram as following, which is a SCTP
> association beteen End Point A and B, on each End Point has two IP addresses
> serving this SCTP association:
> > Node A          Node B
> > IP A1   ------- IP B1
> >             \     /
> >               \ /
> >               /\
> >             /    \
> > IP A2   ------ IP B2
> >
> > In this way, there are actually 4 physical links in this single
> association: A1 -> B1,  A2 -> B2, A1 -> B2, and A2 -> B1.
> > The question is: among these 4 links, how many can be defined as Prime?
> Typically, one of the remote peers addresses is considered a primary path
> (and the source address
> will be selected based on the routing table). Also remote addresses are
> supervised using HEARTBEATs.
> > From the spec., it looks like only one pair of IP addresses (ig. A1->B1)
> can be defined as prime so all traffic actually
> The SCTP stack will select the primary address. Using the socket API, the
> application can
> also specify which remote address should be the primary.
> > just goes on this link only, however in this way it means that among the
> 4 available links, only one is bearing traffic in normal cases and all other
> 3 are standby in case of prime failure, it doesn't look like make sense if
> compare to the
> Please note, that each node will supervise two remote addresses.
> > possibility of having 2 out of 4 as prime and other 2 as standby.
> Furthermore, in case of prime (say A1-> B1) failure, which of the other
> three will take over and how are they prioritized?
> The socket API does not provide a way to indicate where to failover to.
> However, the application can handle notifications indicating that a path
> state
> changes to UNREACHABLE and then set a new primary path.
>
> The socket API I'm referring to is available at
> http://tools.ietf.org/html/draft-ietf-tsvwg-sctpsocket
> which is implemented (partly) by FreeBSD, Linux and Solaris.
>
> Best regards
> Michael
> > Thanks.
> >
> > Kevin. Wong.
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
> ------------------------------
>
> Message: 13
> Date: Thu, 10 Mar 2011 14:24:41 -0500
> From: Jeff Morriss <jeff.morriss.ws () gmail com>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] question about SCTP multi-homing
> Message-ID: <4D792579.8020402 () gmail com>
> Content-Type: text/plain; charset=GB2312
>
> WangWeiguo wrote:
> > Hi all,
> > Anyone can help with this SCTP multi-homing question?  I've read the
> > spec. (RFC 4960) and googled, but still it's quite hard to really
> > understand the essentials of the multi-homing.
> >
> > The question is based on the diagram as following, which is a SCTP
> > association beteen End Point A and B, on each End Point has two IP
> > addresses serving this SCTP association:
> >
> > Node A          Node B
> > IP A1   ------- IP B1
> >             \     /
> >               \ /
> >               /\
> >             /    \
> > IP A2   ------ IP B2
> >
> > In this way, there are actually 4 physical links in this single
> > association: A1 -> B1,  A2 -> B2, A1 -> B2, and A2 -> B1.
> >
> > The question is: among these 4 links, how many can be defined as Prime?
> >  From the spec., it looks like *_only one_* pair of IP addresses (ig.
> > A1->B1) can be defined as prime so all traffic actually just goes on
> > this link only, however in this way it means that among the 4 available
> > links, only one is bearing traffic in normal cases and all other 3 are
> > standby in case of prime failure, it doesn't look like make sense if
> > compare to the possibility of having 2 out of 4 as prime and other 2 as
> > standby. Furthermore, in case of prime (say A1-> B1) failure, which of
> > the other three will take over and how are they prioritized?
>
> When asking a new question or starting a new topic of discussion, please
> do not reply to an email on another topic.  Doing so messes up the
> threading (grouping of messages with the same topic together) in many
> email clients.
>
> The IETF tsvwg mailing list might be a good place to discuss this too.
>
> Anyway, yes, only one pair of IP addresses would be considered the
> primary.  The idea (in 4960) is that all packets should (excepting
> retransmissions) travel on the same path until path failover.  (There is
> a draft for loadsharing on all paths.)
>
> In the case of primary path failure, the same 4960 clause applies:
>
> >    When retransmitting data that timed out, if the endpoint is multi-
> >    homed, it should consider each source-destination address pair in its
> >    retransmission selection policy.  When retransmitting timed-out data,
> >    the endpoint should attempt to pick the most divergent source-
> >    destination pair from the original source-destination pair to which
> >    the packet was transmitted.
> >
> >    Note: Rules for picking the most divergent source-destination pair
> >    are an implementation decision and are not specified within this
> >    document.
>
> As it says, "most divergent" is more complicated when you're dealing
> with both source and destination IP addresses.  To me, this means
> "change both the source and destination addresses."  Of course if you
> have more than 2 source and/or destination IP addresses, then you have
> more than 1 equally divergent choices.
>
>
> ------------------------------
>
> Message: 14
> Date: Thu, 10 Mar 2011 11:25:46 -0800
> From: Guy Harris <guy () alum mit edu>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] Help with Zigbee decryption
> Message-ID: <BFFF69E6-72C2-4A07-BE9D-CB167FD99B02 () alum mit edu>
> Content-Type: text/plain; charset=us-ascii
>
>
> On Mar 9, 2011, at 3:38 PM, Joe Desbonnet wrote:
>
> > BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from
> > Microchip Technologies, I've written a short Linux C utility that
> > streams the packets from the device in PCAP format and can be piped
> > into Wireshark. Details here: http://code.google.com/p/microchip-zena/
>
> At some point, it might be interesting to incorporate that code into
> libpcap.  The main issue is that it would need a libpcap API to select the
> channel, but that can be added.
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users () wireshark org
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 58, Issue 9
> **********************************************



-- 
Paula Dufour
410-857-9069 (h)
301-939-7918 (w)
443-340-9839 (c)
psdufour () gmail com

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe